msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.536.2025.12.04
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-12-04 23:32:27 +01:00
parent 53009d97f7
commit 45f73f0d33
2 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@@ -30,7 +30,7 @@ include_toc: true
**Build**: V8.13.536.2025.12.04<br>
**CISS.debian.live.builder — First of its own.**<br>
**World-class CIA designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.**
Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed
to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -58,6 +58,15 @@ validation is enforced in a fail-closed manner: zones with invalid or broken sig
silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
and spoofing surfaces.
Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
* [CenturionDNS Resolver](https://eddns.eu/)
* [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)